Embedded Anti-Virus Scanner for a Network Adapter 

Field of the Invention 

The present invention relates to network adapters, and more particularly to network 
adapters that interface with computers. 

Background of the Invention 

In computer networks, a host computer system is normally connected to the 
network by a network adapter. In some designs, the network adapter is a board that 
plugs into the backplane bus of the host computer system. In other designs, the network 
adapter is built into the CPU motherboard. The host computer system typically includes 
a device driver which operates the network adapter. 

Computer networks transfer data from one network node to another in the form 
of packets. For the purposes here, packets may include information for all layers of the 
ISO/OSI model at and above the data link layer. The network adapter transmits packets 
from the host computer system onto the network, and delivers packets from the network 
to the host computer system. 

During operation, the host computer system produces two types of host memory 
buffers that are consumed by the network adapter: (1) transmit buffers containing 
packets to be transmitted onto the network, and (2) receive buffers to hold packets 
received from the network. The host computer system notifies the network adapter when 
either type of host memory buffer is produced. Similarly, the network adapter notifies 
the host computer system when it finishes consuming either type of buffer. 

For example, to transmit a packet onto the network, the host computer system 
produces a transmit buffer by allocating a host memory buffer from a free pool of 
memory buffers, and writing the packet to the host memory buffer. The host computer 
system then notifies the network adapter that the transmit buffer has been produced (the 
packet is ready for transmission). The network adapter consumes the transmit buffer by 
transmitting the packet onto the network. The network adapter then notifies the host 
computer system that the buffer has been consumed (transmission has completed). 

To receive a packet from the network, the host computer system first produces a 
receive buffer by allocating a host memory buffer into which a packet from the network 
may be received. The host computer system then notifies the network adapter that the 
receive buffer has been produced. When the network adapter subsequently receives a 
packet from the network to be stored in host memory, it consumes the receive buffer by 
writing the packet to it. The network adapter then notifies the host that the receive 
buffer has been consumed (the packet has been received). 

When the host computer system is notified that a host memory buffer has been 
consumed (either a transmit buffer or a receive buffer), it completes the processing of 
that host memory buffer. The host computer system completes processing a consumed 
transmit buffer by returning the transmit buffer to the free pool of host memory buffers. 
The host computer system completes processing a consumed receive memory buffer by 
delivering the received packet to the appropriate user process, and then returning the 
receive buffer to the free pool of host memory buffers. 
The host computer system typically notifies the network adapter after each host 
memory buffer has been produced by writing a register on the network adapter. The 
network adapter typically notifies the host computer system after each host memory 
buffer has been consumed by sending an interrupt to the host processor in the host 
computer system. 

To date, there has been no meaningful extension of the capabilities of network 
adapters to accomplish other tasks such as contributing to network security. 
Conventionally, the network adapter is the ingress point for many untrusted files 
and data, which may propagate a virus on the associated computer. Unfortunately, such 
an ingress point provides no security features to prevent an attack on the computer. 
Disclosure of the Invention 



A network adapter system and associated method are provided. The network 
adapter system includes a processor positioned on a network adapter coupled between a 
computer and a network. Such processor is configured for scanning network traffic 
transmitted between the computer and the network. 

In one embodiment, the processor is capable of being user-configured. Further, 
the processor is capable of being user-configured locally and/or remotely via a network 
connection with the network adapter. Still yet, the processor is capable of being 
user-configured only after the verification of a password. 

In another embodiment, the manner in which the scanning is performed is 
capable of being user-configured. Further, the settings of the network adapter are 
capable of being user-configured. 

In still another embodiment, the processor is capable of determining whether 
received packets are of interest. Such determination as to which received packets are of 
interest may be based on a protocol associated with the packets. 

In use, the processor is capable of passing received packets that are not of 
interest to the computer. Further, the processor is capable of scanning received packets that 
are of interest. The processor is then further capable of denying received packets that 
fail the scan. 
Brief Description of the Drawings 



Figure 1 illustrates a network architecture, in accordance with one embodiment. 

Figure 2 shows a representative hardware environment that may be associated 
with the data server computers and user computers of Figure 1, in accordance with one 
embodiment. 

Figure 3 illustrates an exemplary network adapter that may be coupled between a 
computer and a network like those shown in Figures 1 and 2. 

Figure 4 illustrates a method for scanning incoming data utilizing a network 
adapter. 

Figure 5 illustrates a method for configuring a network adapter scanner, in 
accordance with one embodiment. 
Description of the Preferred Embodiments 



Figure 1 illustrates a network architecture 100, in accordance with one 
embodiment. As shown, a plurality of networks 102 is provided. In the context of the 
present network architecture 100, the networks 102 may each take any form including, 
but not limited to a local area network (LAN), a wide area network (WAN) such as the 
Internet, etc. 

Coupled to the networks 102 are data server computers 104 which are capable of 
communicating over the networks 102. Also coupled to the networks 102 and the data 
server computers 104 is a plurality of end user computers 106. In the context of the 
present description, a computer may refer to any web server, desktop computer, lap-top 
computer, hand-held computer, printer or any other type of hardware/software. 

In order to facilitate communication among the networks 102, at least one 
gateway 108 is coupled therebetween. It should be noted that each of the foregoing 
network devices as well as any other unillustrated devices may be interconnected by 
way of a plurality of network segments. In the context of the present description, a 
network segment includes any portion of any particular network capable of connecting 
different portions and/or components of a network. 

Figure 2 shows a representative hardware environment that may be associated 
with the data server computers 104 and/or end user computers 106 of Figure 1, in 
accordance with one embodiment. Such figure illustrates a typical hardware 
configuration of a workstation in accordance with a preferred embodiment having a 
central processing unit 210, such as a microprocessor, and a number of other units 
interconnected via a system bus 212. 



NAI1P056/0L187.01 



The workstation shown in Figure 2 includes a Random Access Memory (RAM) 
214, Read Only Memory (ROM) 216, an I/O adapter 218 for connecting peripheral 
devices such as disk storage units 220 to the bus 212, a user interface adapter 222 for 
connecting a keyboard 224, a mouse 226, a speaker 228, a microphone 232, and/or other 
user interface devices such as a touch screen (not shown) to the bus 212, communication 
adapter 234 for connecting the workstation to a communication network 235 (e.g., a 
data processing network) and a display adapter 236 for connecting the bus 212 to a 
display device 238. 

The workstation may have resident thereon an operating system such as the 
Microsoft Windows NT or Windows/95 Operating System (OS), the IBM OS/2 
operating system, the MAC OS, or UNIX operating system. It will be appreciated that a 
preferred embodiment may also be implemented on platforms and operating systems 
other than those mentioned. A preferred embodiment may be written using JAVA, C, 
and/or C++ language, or other programming languages, along with an object oriented 
programming methodology. Object oriented programming (OOP) has become 
increasingly used to develop complex applications. 

Figure 3 illustrates an exemplary network adapter 300 that may be coupled 
between a computer and a network like those shown in Figures 1 and 2. Of course, such 
network adapter 300 may be coupled between any computer and any network in any 
desired context. 

It should be noted that the network adapter 300 may include any Peripheral 
Component Interconnect (PCI) card, Industry Standard Architecture (ISA) card, 
Integrated Services Digital Network (ISDN) adapter, cable modem adapter, broadband 
adapter, or any other type of adapter capable of being installed on any sort of housing 
associated with a desktop, laptop or any other type of computer. Of course, the network 
adapter 300 may comprise any sort of interface between the network and the computer. 

As shown in Figure 3, the network adapter 300 includes a processor 302 in 
communication with a standard adapter circuit 304. The processor 302 is further 
coupled to the computer, while the standard adapter circuit 304 is coupled to the 
network. It should be noted that this configuration may vary per the desires of the user. 
For example, the standard adapter circuit 304 may be coupled to the computer, while the 
processor 302 is coupled to the network. 

Such standard adapter circuit 304 may include various voltage regulating 
circuits, a bus, light emitting diode connections, and/or any other conventional circuitry 
commonly implemented in a network adapter 300. The processor 302 of the network 
adapter 300 may include a single semiconductor platform or multiple interconnected 
semiconductor platforms with associated logic to accomplish the functionality set forth 
herein. 

The processor 302 of the network adapter 300 may also include a packet 
assembler module 305 coupled to the standard adapter circuit 304 for assembling 
packets received from the network and packetizing information received from the 
computer. It should be noted that the processor 302 of the network adapter 300 is in 
communication with an operating system network driver 306 associated with the 
computer for receiving outbound data therefrom and further conditionally sending 
inbound data thereto, in a manner that will be set forth in greater detail during reference 
to Figure 4. 

Also included is adapter random access memory (RAM) 308 coupled to the 
packet assembler module 305 for storing packets received therefrom. It should be noted 
that the memory 308 may include any cache or fast memory capable of allowing quick 
storage and/or retrieval of data. 

Still yet, the processor 302 of the network adapter 300 includes a scanner 310. 
Such scanner 310 includes anti-virus scanning capabilities. Such scanner 310 may be 
adapted for scanning for known types of security events in the form of malicious 
programs such as viruses, worms, and Trojan horses. Still yet, the scanner 310 may 
be adapted for content scanning to enforce an organization's operational policies [e.g. 
detecting harassing or pornographic content, junk e-mails, misinformation (virus 
hoaxes), etc.]. Of course, the scanner 310 may take any other sort of security measures. 

Optionally, various virus signature files and other related control information 
associated with the scanner 310 may be stored on a non-volatile solid state memory (e.g. 
FLASH RAM). This may be user protected by configuring the network adapter 300 
BIOS with a password that only a user can change, as will soon become apparent. 

As an option, a control module 311 may be used to control the overall operation 
of the network adapter 300. It should be noted, however, that the overall operation may 
be controlled in any desired manner. For example, the processor 302 may be controlled 
at least in part by way of the computer or a remote administrator communicating via the 
network. 

A user interface driver 312 is coupled to the scanner 310 for facilitating the 
configuration of the scanner 310 and various other aspects of the network adapter 300. 
More information on such configurability will be set forth in greater detail during 
reference to Figure 5. 




Figure 4 illustrates a method 400 for scanning network traffic (e.g. 
communications, data, etc.) utilizing a network adapter. In one embodiment, the present 
method 400 may be used in the context of a network adapter like that mentioned 
hereinabove during reference to the previous figure. Of course, the present techniques may 
be utilized in any desired context. 

Initially, packets are received in operation 402 from the network. As mentioned 
earlier, this may be accomplished directly or through a standard adapter circuit 304, or 
by any other conduit. Thereafter, the packets are assembled in operation 404. This may 
be accomplished in any feasible method. For example, the packet assembler module 
305 may utilize header information associated with the packets for assembling the data 
fields of the packets. 

As each packet arrives, it is determined whether the packets are of interest. Note 
decision 406. Such determination may be based on any desired factor such as a source 
of the packet, a protocol associated with the packet, a timing of the packet, contents of 
the packet, and/or any other desired factor. In any embodiment where certain protocols 
are of interest, a predetermined amount of packets may need to be assembled to first 
identify whether the packets are of interest. Table #1 illustrates an exemplary list of 
protocols that may be of interest. It should be noted that such list may vary based on the 
security threat that files using a particular protocol pose. 

Table #1 

• HTTP file requests 
• FTP file transfers 
• Novell NetWare file transfers 
• Windows file transfers 

If the packets are not of interest, as decided in decision 406, the packets are 
bypassed directly to the computer. See operation 407. This may be accomplished by 
bypassing the scanner 310 and RAM 308, and communicating directly with the network 
driver 306 of the computer. By this design, the packets that are not to be scanned are 
communicated with the computer as fast as possible. 

If, on the other hand, the packets are of interest, as decided in decision 406, the 
packets are cached in operation 408. For example, they may be stored in the memory 
308. This process continues until it is determined that a file or any other desired unit of 
data is complete in decision 410. If the file is not complete, the process continues until 
enough packets of interest are received so as to complete a file. 

Once a file is complete, as determined in decision 410, it is then determined 
whether the file is of interest in decision 412. For example, it may be determined that 
only certain files (e.g. executables, etc.) are of interest. It should be noted that such a 
determination may not be able to be made at the packet level in decision 406. Again, if the 
file is not of interest, as decided in decision 412, the packets are bypassed directly to the 
computer. See operation 414. This may again be accomplished by bypassing the 
scanner 310 and the memory 308, and communicating directly with the network driver 
306 of the computer. By this design, files that are not to be scanned are communicated 
with the computer as fast as possible. 

If, however, the file is of interest, a scan is performed, as set forth in operation 
418. In one embodiment, the scan is performed by the scanner 310 on the hardware 
processor 302 positioned on the network adapter 300. If it is determined that the file is 
clean in decision 420, the file is transferred to the computer (i.e. to the network driver 306). 
If, however, any virus, suspicious content, malicious code, etc. is found in decision 420, 
access may be denied to the computer in operation 424. This way, no contaminated 
packets and/or files reach the computer. 

Further, an alert may be displayed for notifying a user of the denial of access and 
the contaminated file/packets. As an option, such alert may also provide options as to 
remedies for the situation (e.g. clean, delete, quarantine, etc.). Such alert may be 
conveyed in any desired manner. For example, the alert may be provided to a remote 
administrator, using an indicator on the network adapter, and/or an interface on the 
computer. To accomplish this, such alert may be sent to the user interface driver 312. 

It should be noted that the foregoing process may also be applied to outgoing 
packets. This feature may be considered as an option that may be configured in a 
manner that will soon be set forth. 

To this end, the scanning is accelerated through use of the hardware processor 
for scanning purposes. Further, by the critical positioning of the hardware processor on 
the network adapter, protection is inherently provided whenever network access is 
gained. 
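
The method 400 pipeline, as an added example that is not part of this application: constructed packets are classified by destination port (an assumed mapping for the Table #1 protocols), packets of interest are cached per stream until the last packet of the file arrives, only files beginning with an executable header are scanned (an assumption standing in for decision 412), and a constructed signature decides between pass and deny. The cache threshold from operation 514 and the fail-closed handling of a file too large to cache are also assumptions; the application does not say what the adapter does in that case.

```python
"""Toy model of the Figure 4 method (example code, not the application's own).

Packets are classified by protocol (decision 406), packets of interest are
cached until the file is complete (operation 408 / decision 410), only files
of an interesting type are scanned (decision 412 / operation 418), and an
infected file is denied (operation 424). Ports, magic bytes, signatures and
the oversize policy are all assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed port-to-protocol mapping for the Table #1 entries.
PROTOCOLS_OF_INTEREST = {
    80: "HTTP file request",
    20: "FTP data", 21: "FTP control",
    524: "Novell NetWare (NCP) file transfer",
    445: "Windows (SMB) file transfer", 139: "Windows (NetBIOS) file transfer",
}

# Assumption: only executables are "of interest" at decision 412.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")

# Constructed signature standing in for the FLASH-resident signature set.
SIGNATURES = {"Test.Marker": b"EVIL-PAYLOAD-MARKER"}


@dataclass
class Packet:
    dst_port: int
    stream: str          # flow identifier (a 4-tuple in practice)
    payload: bytes
    last: bool = False   # final packet of the file carried by this stream


@dataclass
class AdapterScanner:
    max_file_size: int = 4096       # the threshold a user may set in operation 514
    oversize_action: str = "deny"   # assumption: fail closed when a file cannot be cached
    cache: dict = field(default_factory=lambda: defaultdict(bytearray))  # memory 308
    alerts: list = field(default_factory=list)                           # to driver 312

    def packet_of_interest(self, pkt: Packet) -> bool:       # decision 406
        return pkt.dst_port in PROTOCOLS_OF_INTEREST

    def file_of_interest(self, data: bytes) -> bool:         # decision 412
        return data.startswith(EXECUTABLE_MAGIC)

    def scan(self, data: bytes) -> list:                     # operation 418
        return [name for name, sig in SIGNATURES.items() if sig in data]

    def handle(self, pkt: Packet) -> str:
        """Return one of 'bypass', 'cached', 'pass', 'deny' for this packet."""
        if not self.packet_of_interest(pkt):
            return "bypass"                  # operation 407: straight to driver 306
        buf = self.cache[pkt.stream]
        buf += pkt.payload                   # operation 408: cache in memory 308
        if len(buf) > self.max_file_size:    # cannot hold the whole file for scanning
            del self.cache[pkt.stream]
            self.alerts.append(("oversize", pkt.stream))
            return self.oversize_action
        if not pkt.last:
            return "cached"                  # decision 410: file not complete yet
        data = bytes(self.cache.pop(pkt.stream))
        if not self.file_of_interest(data):
            return "bypass"                  # operation 414: unscanned, straight to driver
        hits = self.scan(data)
        if hits:
            self.alerts.append(("infected", pkt.stream, hits))
            return "deny"                    # operation 424: nothing reaches the computer
        return "pass"                        # decision 420: clean, transfer to driver 306


def run(packets, **policy):
    """Feed packets through one scanner; return (verdicts, alerts)."""
    scanner = AdapterScanner(**policy)
    return [scanner.handle(p) for p in packets], scanner.alerts


# Constructed traffic: TLS (not in Table #1), a two-packet infected EXE over
# HTTP, a JPEG that carries the marker but is never scanned, and a clean ELF over SMB.
SAMPLE = [
    Packet(443, "tls-1", b"\x16\x03\x01"),
    Packet(80, "http-1", b"MZ\x90\x00" + b"A" * 10),
    Packet(80, "http-1", b"EVIL-PAYLOAD-MARKER", last=True),
    Packet(80, "http-2", b"\xff\xd8\xff" + b"EVIL-PAYLOAD-MARKER", last=True),
    Packet(445, "smb-1", b"\x7fELF" + b"\x00" * 8, last=True),
]

if __name__ == "__main__":
    print(run(SAMPLE))
```

The JPEG carrying the marker is passed through unscanned because decision 412 selects only executables: the protection is exactly as wide as the file-of-interest rule, which is why that rule and the oversize policy are the settings worth reviewing in operation 514.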

Figure 5 illustrates a method 500 for configuring a network adapter scanner, in 
accordance with one embodiment. Again, the present method 500 may be used in the 
context of a network adapter and associated method like that mentioned hereinabove 
during reference to the previous figures. Of course, the present techniques may be 
utilized in any desired context. 

Initially, a computer user or remote administrator may be prompted for a 
password in operation 502. In the case of the user of the computer being prompted, this 
may be accomplished utilizing the user interface driver 312 of Figure 3. On the other 
hand, in the case of the remote administrator, the password request may be prompted 
using TCP/IP or any other desired network protocol. In the case of TCP/IP, the network 
adapter 300 may be assigned a dedicated IP address or MAC address for identification 
purposes. 

If the password is received and verified, it is then determined whether the user or 
remote administrator wishes to update the virus signatures associated with the scanner 
310 of the processor 302 (note decision 508) or configure the network adapter settings 
(note decision 512). 

If an update is to be performed per decision 508, the virus signatures on the 
network adapter 300 may be updated in operation 510. It should be noted that the 
software administering the update may be positioned off the network adapter 300 on the 
computer or at a remote administrator site. 

If the configuration settings are to be changed per decision 512, a user may alter 
various network adapter 300 settings in operation 514. These settings may range from 
conventional settings to determining which packets and files are of interest in the 
context of the method 400 of Figure 4. Just by way of example, the user may configure 
the packet filtering to enable/disable packet assembling and scanning of HTTP file 
requests. Further, various other heuristics, well known virus scan settings, or the like 
may also be configured. 

As an option, since the memory 308 may have a limited amount of capacity with 
which to store assembled files, the user may be able to set a threshold for the maximum 
size of file to be stored in memory, or possibly prioritize the scanning of files (e.g. 
executables first, JPEGs second, etc.). As a further option, direct memory access may 
be used to utilize the host computer's RAM. 
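
The method 500 gate, as an added example not taken from this application: a salted, iterated hash of the password is stored instead of the password itself (the application only says the password is verified), the comparison is constant-time, an update blob must carry a keyed tag from the update source before it touches the signature store (an assumption; the application does not describe how an update is authenticated), and operation 514 settings are type-checked before being applied. The key, the update format and the setting names are constructed for the example.

```python
"""Toy model of the Figure 5 configuration method (example code, not the
application's own). A password gate (operation 502) sits in front of
signature updates (decision 508 / operation 510) and adapter settings
(decision 512 / operation 514). The salted password hash, the keyed tag
on the update blob and the settings schema are assumptions for this example.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumption: store a salted hash, never the password itself


def make_tag(update_key: bytes, blob: bytes) -> bytes:
    """Tag an update blob; the remote administrator site would do this before sending it."""
    return hmac.new(update_key, blob, "sha256").digest()


class AdapterConfig:
    def __init__(self, password: str, update_key: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        self.update_key = update_key      # assumption: key shared with the update source
        self.signatures = {}              # name -> bytes, standing in for FLASH contents
        self.settings = {                 # operation 514 settings, with their expected types
            "scan_http_requests": True,
            "max_file_size": 4096,
            "scan_priority": ["executable", "jpeg"],
        }
        self.authenticated = False
        self.failed_attempts = 0          # kept so a lockout policy could be applied (assumption)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def login(self, password: str) -> bool:                   # operation 502
        ok = hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)
        self.authenticated = ok
        self.failed_attempts = 0 if ok else self.failed_attempts + 1
        return ok

    def logout(self) -> None:
        self.authenticated = False

    def update_signatures(self, blob: bytes, tag: bytes) -> bool:   # operation 510
        """Accept 'Name=hexbytes' lines, one signature per line."""
        if not self.authenticated:
            return False
        if not hmac.compare_digest(make_tag(self.update_key, blob), tag):
            return False                                       # tampered or unsigned update
        parsed = {}
        try:
            for line in blob.decode("ascii").splitlines():
                name, hexsig = line.split("=", 1)
                parsed[name.strip()] = bytes.fromhex(hexsig.strip())
        except ValueError:
            return False                                       # malformed line or hex
        if not parsed:
            return False
        self.signatures.update(parsed)
        return True

    def set_setting(self, key: str, value) -> bool:             # operation 514
        if not self.authenticated or key not in self.settings:
            return False
        if type(value) is not type(self.settings[key]):
            return False                                       # e.g. a string for max_file_size
        if key == "max_file_size" and value <= 0:
            return False
        self.settings[key] = value
        return True


if __name__ == "__main__":
    cfg = AdapterConfig("correct horse battery", b"constructed-update-key")
    print(cfg.login("wrong"), cfg.login("correct horse battery"))
    blob = b"Test.Marker=4556494c"
    print(cfg.update_signatures(blob, make_tag(b"constructed-update-key", blob)), cfg.signatures)
```

Whether the gate is driven by the user interface driver 312 or by a remote administrator over TCP/IP, the same object answers both paths, so the password check and the update tag check cannot be bypassed by choosing the other interface.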
While various embodiments have been described above, it should be understood 
that they have been presented by way of example only, and not limitation. For example, 
any of the network elements may employ any of the desired functionality set forth 
hereinabove. Thus, the breadth and scope of a preferred embodiment should not be 
limited by any of the above-described exemplary embodiments, but should be defined 
only in accordance with the following claims and their equivalents. 